
    
          
  
          

    
  
  
  
  

    
  
  
  
  
  
  
  
  

    
  
  
  
  

    
  
  
      
    
  
  
  

    

    
  
  
  
  

    
  
  
  

    
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

    
  

    


    
    
    
    
    
    
    
    
  
  
        <!DOCTYPE html>  <html lang="en" itemscope itemtype="http://schema.org/WebPage">    <head>        <meta charset="UTF-8">    <meta http-equiv="X-UA-Compatible" content="IE=edge">    <meta name="viewport" content="width=device-width,initial-scale=1">                  
    
    
        <title>ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes | JPCERT Coordination Center official Blog</title>
    <meta name="description" content="In the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows...">
    <meta name="keywords" content="">
  
    
    
    
    
    

  
                      
    
    
        <meta property="og:type" content="website">
    <meta property="og:locale" content="en_US">
    <meta property="og:title" content="ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes">
    <meta property="og:url" content="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html">
    <meta property="og:description" content="In the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows...">
    <meta property="og:site_name" content="JPCERT/CC Eyes">
    <meta property="og:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig1-800wi.png">
      
    
    
    
    
    

  
                      
    
    
        <meta name="twitter:card" content="summary_large_image">
        <meta name="twitter:title" content="ELF_TSCookie - Linux Malware Used by BlackTech - JPCERT/CC Eyes">
    <meta name="twitter:description" content="In the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows...">
    <meta name="twitter:image" content="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig1-800wi.png">
  
    
    
    
    
    

  
                      
    
    
        <meta itemprop="description" content="In the past blog articles, we have introduced TSCookie, PLEAD and IconDown, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows...">
    <link itemprop="url" href="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html">
    <link itemprop="image" href="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig1-800wi.png">
  
    
    
    
    
    

  
            <link rel="start" href="/en/">    <link rel="alternate" type="application/atom+xml" href="/en/atom.xml">        <link rel="stylesheet" href="/en/common/css/styles.css">    <link rel="shortcut icon" type="image/x-icon" href="/en/common/images/favicon.ico">    <link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.css" integrity="sha256-NuCn4IvuZXdBaFKJOAcsU2Q3ZpwbdFisd5dux4jkQ5w=" crossorigin="anonymous" />    <!--[if lt IE 9]>    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.min.js" integrity="sha256-3Jy/GbSLrg0o9y5Z5n1uw0qxZECH7C6OQpVBgNFYa0g=" crossorigin="anonymous"></script>    <script src="//cdnjs.cloudflare.com/ajax/libs/respond.js/1.4.2/respond.min.js" integrity="sha256-g6iAfvZp+nDQ2TdTR/VVKJf3bGro4ub5fvWSWVRi2NE=" crossorigin="anonymous"></script>    <![endif]-->              <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-124034031-1"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());

      gtag('config', 'UA-124034031-1');
    </script>
                
        <link rel="canonical" href="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html" />

  
      </head>  <body class="page_english">              
    <!-- prepend body -->

  
            
  
  
        
    
    <header class="header  header--bottom">
    <div class="header__inner clearfix">
      <p class="header__logo">
        <a href="https://www.jpcert.or.jp/english/" target="_blank">
          <img class="header__logo__src" src="/en/common/images/header_logo.svg" width="198" height="66" alt="JPCERT/CC Eyes">
        </a>
      </p>
      <h1 class="header__title">
        <a class="header__title__link" href="/en/">JPCERT/CC Eyes</a>
      </h1>
      <h2  class="header__description">JPCERT Coordination Center official Blog</h2>
      <div class="header__lang">
        <p class="header__lang__cell-label">Language:</p>
        <div class="header__lang__cell-field">
          <select class="header__lang__switcher" onchange="location.href = this.value;">
            <option value="/ja/">日本語</option>
            <option selected value="/en/">English</option>
                      </select>
        </div>
      </div>
    </div>
  </header>

    


        
    
    
        
                  
    <section class="breadcrumb-navi">
      <div class="inner">
        <a href="/en/">Top</a>&nbsp;&gt;&nbsp;<a href="https://blogs.jpcert.or.jp/en/malware/">List of &ldquo;Malware&rdquo;</a>&nbsp;&gt;&nbsp;ELF_TSCookie - Linux Malware Used by BlackTech
      </div>
    </section>

        
        
  
    
    
    
    
    


        <div id="content" class="clearfix">

            <div id="main-wrapper">
        <main role="main">

                    
        
    <article id="entry-1375152" class="entry">

        
    
    
    
    <div class="entry-meta clearfix">

    <div class="entry-author">
      <figure>
        <a href="https://blogs.jpcert.or.jp/en/shu_tom/">
          <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" width="50" height="50" alt="朝長 秀誠 (Shusei Tomonaga)">
        </a>
      </figure>
      <p><a href="https://blogs.jpcert.or.jp/en/shu_tom/">朝長 秀誠 (Shusei Tomonaga)</a></p>
    </div>

    <div class="entry-date">
      <time datetime="2020-03-05T00:00:00+09:00">March  5, 2020</time>
    </div>

  </div>

    
    
    


        <h2 class="entry-title">ELF_TSCookie - Linux Malware Used by BlackTech</h2>

        
    
        
    

        
  
        
    

        
  
        <section class="entry-tags">
      <ul>

        
                    
                    
                    
        
                    
                    
                        
            <li>
              <a href="https://blogs.jpcert.or.jp/en/tags/blacktech/">BlackTech</a>
            </li>

                        
          
                    
        
      </ul>
    </section>
  


        
    
    
    <div class="entry-social-buttons  entry-social-buttons--before-content  clearfix">
    <ul>
      <li class="entry-social-twitter">
        <a href="https://twitter.com/share" class="twitter-share-button" data-text="ELF_TSCookie - Linux Malware Used by BlackTech" data-url="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html" data-show-count="false"></a>
      </li>
      <li class="entry-social-mail">
        <a href="mailto:?subject=ELF_TSCookie%20-%20Linux%20Malware%20Used%20by%20BlackTech&amp;body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2020%2F03%2Felf-tscookie.html">Email</a>
      </li>
    </ul>
  </div>

    
    


        <section class="entry-content clearfix">
      <p>In the past blog articles, we have introduced <a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" title="TSCookie" target="_blank">TSCookie</a>, <a href="https://blogs.jpcert.or.jp/en/2018/06/plead-downloader-used-by-blacktech.html" title="PLEAD" target="_blank">PLEAD</a> and <a href="https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html" title="IconDown" target="_blank">IconDown</a>, which are used by BlackTech. It has been identified that this group also uses several other types of malware. While the malware we have already described infects Windows OS, we have also confirmed that there are TSCookie and PLEAD variants that infect Linux OS. <br />
This article describes TSCookie for Linux, used by BlackTech.</p>

<h3>Difference between TSCookie for Windows and Linux</h3>

<p>The function of the two are mostly the same, as many parts of the code are identical. Figure 1 shows the comparison of code in TSCookie for Windows and for Linux. 
<figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/tscookie_elf-fig1.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig1-640wri.png" width="500" alt="Comparison of code in TSCookie for Windows and Linux" class="asset asset-image at-xid-1169440 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 1: Comparison of code in TSCookie for Windows and Linux</br>(Left: Windows Right: Linux)</figcaption></figure></p>

<p>While they are mostly the same in terms of the code, the Linux version operates differently with the following characteristics:</p>

<ul>
<li>Less configuration</li>
<li>Supports custom communication protocol only</li>
<li>Several functions available by default</li>
</ul>

<p>The details are explained in the next sections.</p>

<h3>Less configuration data</h3>

<p>As it was described in <a href="https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html" title="the past blog entry" target="_blank">the past blog entry</a> (Appendix A: TSCookie Configuration), TSCookie for Windows has 17 sets of configuration within the 0xB78 data size. On the other hand, it is reduced to 5 in the Linux version, and the configuration on proxy communication and others have been excluded. See Appendix A for details. <br />
In the Windows version, the configuration is RC4-encrypted and hardcoded in the malware. For the Linux version, however, information such as C&amp;C server is copied as a plain text into a dedicated area in the memory and then RC4-encrypted.It is uncertain why the Linux version malware does not encrypt the configuration with RC4 from the beginning, but it is possible that coding some parts did not work when copying the code from the Windows version to the Linux one.
<figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/tscookie_elf-fig2.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig2-640wri.png" width="500" alt="Code for creating configuration" class="asset asset-image at-xid-1169440 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 2: Code for creating configuration</figcaption></figure></p>

<h3>Supports custom communication protocol only</h3>

<p>While TSCookie for Windows supports several communication protocols (HTTP, HTTPS and custom protocol), the Linux version only supports its custom protocol. Figure 3 shows a part of code for communication. It is clear that the code only covers the custom protocol.
<figure class="mt-figure mt-figure-center"><a class="mt-asset-link" href="https://blogs.jpcert.or.jp/en/.assets/tscookie_elf-fig3.png"><img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/tscookie_elf-fig3-640wri.png" width="500" alt="Comparison of communication in TSCookie for Windows and Linux" class="asset asset-image at-xid-1169440 mt-image-center" style="display: block; margin-left: auto; margin-right: auto;"/></a><figcaption>Figure 3: Comparison of communication in TSCookie for Windows and Linux</br>(Left: Windows version Right: Linux version)</figcaption></figure></p>

<p>The payload itself is RC4-encrypted in both versions, and the format of the data as well as the commands received in reply remain mostly the same. (See Appendix B for details.)</p>

<h3>Several functions available by default</h3>

<p>TSCookie for Windows downloads modules and operates accordingly. The Linux version has the following functions by default, so it conducts malicious activities without downloading extra modules. (See Appendix C for details.)</p>

<ul>
<li>Execute arbitrary shell command</li>
<li>Operate files (list, delete, move)</li>
<li>Upload/Download files</li>
</ul>

<h3>In closing</h3>

<p>It is assumed that the malware is embedded in a Linux server of a victim organisation by an attacker after intrusion. If you find any type of malware related to Blacktech in your network, it is recommended that you also check your Linux environment. Please see Appendix D for the list of C&amp;C servers.</p>

<p>Shusei Tomonaga <br />
(Translated by Yukako Uchida)</p>

<h4>Appendix A: ELF_TSCookie Configuration</h4>

<table>
<tbody>
<caption>Table A: Configuration</caption>
<tr>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #d3ddff; width: 250px; text-align: center;">Description</td>
<td style="background-color: #d3ddff; width: 350px; text-align: center;">Remarks</td>
</tr>
<tr>
<td style="text-align: center;">0x000</td>
<td>Destination server and port number</td>
<td>Multiple hosts can be specified by listing with a semicolon ";"</td>
</tr>
<tr>
<td style="text-align: center;">0x400</td>
<td>RC4 key</td>
<td>Used for encrypting communication</td>
</tr>
<tr>
<td style="text-align: center;">0x40C</td>
<td>Campaign ID</td>
<td></td>
</tr>
<tr>
<td style="text-align: center;">0x44C</td>
<td>Communication mode</td>
<td>Only supports a custom protocol</td>
</tr>
<tr>
<td style="text-align: center;">0x454</td>
<td>Not used</td>
<td></td>
</tr>
</tbody>
</table>

<h4>Appendix B: Data exchanged by ELF_TSCookie</h4>

<table>
<tbody>
<caption>Table B-1: Format of sent data</caption>
<tr>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Length</td>
<td style="background-color: #d3ddff; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>4</td>
<td>Number of received data (begins with 0xFFFFFFFF)</td>
</tr>
<tr>
<td style="text-align: center;">0x04</td>
<td>4</td>
<td>Length of data sent</td>
</tr>
<tr>
<td style="text-align: center;">0x08</td>
<td>4</td>
<td>Packet number (Used to divide data when the data length is larger than 65440)</td>
</tr>
<tr>
<td style="text-align: center;">0x0C</td>
<td>4</td>
<td>Command (begins with 0x7263BC02)</td>
</tr>
<tr>
<td style="text-align: center;">0x10</td>
<td>4</td>
<td>Whether the data after 0x20 is RC4-encrypted</td>
</tr>
<tr>
<td style="text-align: center;">0x14</td>
<td>4</td>
<td>Not used</td>
</tr>
<tr>
<td style="text-align: center;">0x18</td>
<td>4</td>
<td>0x3001</td>
</tr>
<tr>
<td style="text-align: center;">0x1C</td>
<td>4</td>
<td>RC4 key (random data)</td>
</tr>
<tr>
<td style="text-align: center;">0x20</td>
<td>-</td>
<td>Data to be sent (See B-2 for the first communication)</td>
</tr>
</tbody>
</table>

<ul>
<li>Up to offset 0x1C, the contents are encrypted with the RC4 key and random data in the configuration.</li>
</ul>

<table>
<tbody>
<caption>Table B-2: Format of data sent in the first communication after offset 0x20</caption>
<tr>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Length</td>
<td style="background-color: #d3ddff; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>4</td>
<td>0x9A65001F</td>
</tr>
<tr>
<td style="text-align: center;">0x04</td>
<td>4</td>
<td>Process ID</td>
</tr>
<tr>
<td style="text-align: center;">0x08</td>
<td>4</td>
<td>Command (0x7263BC02 at the beginning)</td>
</tr>
<tr>
<td style="text-align: center;">0x0C</td>
<td>4</td>
<td>Not used</td>
</tr>
<tr>
<td style="text-align: center;">0x10</td>
<td>4</td>
<td>Data size after offset 0x14</td>
</tr>
<tr>
<td style="text-align: center;">0x14</td>
<td>-</td>
<td>Random data</td>
</tr>
</tbody>
</table>

<ul>
<li>Up to offset 0x14, the contents are encrypted with RC4 key and random data in the configuration.</li>
</ul>

<table>
<tbody>
<caption>Table B-3: Format of received data</caption>
<tr>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Offset</td>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Length</td>
<td style="background-color: #d3ddff; width: 500px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x00</td>
<td>4</td>
<td>Number of received data</td>
</tr>
<tr>
<td style="text-align: center;">0x04</td>
<td>4</td>
<td>Length of received data</td>
</tr>
<tr>
<td style="text-align: center;">0x0C</td>
<td>4</td>
<td>Command</td>
</tr>
<tr>
<td style="text-align: center;">0x10</td>
<td>4</td>
<td>Whether the data after 0x20 is RC4-encrypted</td>
</tr>
<tr>
<td style="text-align: center;">0x1C</td>
<td>4</td>
<td>RC4 key</td>
</tr>
<tr>
<td style="text-align: center;">0x20</td>
<td>-</td>
<td>Data</td>
</tr>
</tbody>
</table>

<ul>
<li>Up to offset 0x1C, the contents are encrypted with RC4 key in the configuration and another key in the received data.</li>
</ul>

<h4>Appendix C: ELF_TSCookie commands</h4>

<table>
<tbody>
<caption>Table C: Commands</caption>
<tr>
<td style="background-color: #d3ddff; width: 100px; text-align: center;">Value</td>
<td style="background-color: #d3ddff; width: 300px; text-align: center;">Contents</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC03</td>
<td>Launch remote shell</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC04</td>
<td>Send a command to remote shell</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC05</td>
<td>End remote shell</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC07</td>
<td>-</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC0B</td>
<td>Returns 0x7263BC06</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC0C</td>
<td>List files</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC0D</td>
<td>Download file</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC0E</td>
<td>Upload file</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC11</td>
<td>-</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC13</td>
<td>End bot</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC16</td>
<td>Delete file</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC1A</td>
<td>Move file</td>
</tr>
<tr>
<td style="text-align: center;">0x7200AC10</td>
<td>Execute command</td>
</tr>
</tbody>
</table>

<h4>Appendix D: C&amp;C servers</h4>

<ul>
<li>app.dynamicrosoft.com</li>
<li>home.mwbsys.org</li>
</ul>

<h4>Appendix E: Hash</h4>

<ul>
<li>fc863fbd71e22c99eaa2b1b0eb72d806cedeb536213e600afb03f0fbea9d2bb3</li>
</ul>

      

    </section>

        
    
    
    <div class="entry-social-buttons  entry-social-buttons--after-content  clearfix">
    <ul>
      <li class="entry-social-twitter">
        <a href="https://twitter.com/share" class="twitter-share-button" data-text="ELF_TSCookie - Linux Malware Used by BlackTech" data-url="https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html" data-show-count="false"></a>
      </li>
      <li class="entry-social-mail">
        <a href="mailto:?subject=ELF_TSCookie%20-%20Linux%20Malware%20Used%20by%20BlackTech&amp;body=https%3A%2F%2Fblogs.jpcert.or.jp%2Fen%2F2020%2F03%2Felf-tscookie.html">Email</a>
      </li>
    </ul>
  </div>

    
    


        
    
    
          
    <section class="entry-author-detail">
    <div class="entry-author-detail-header">
      <p class="title">Author</p>
    </div>

    <div class="entry-author-detail-body clearfix">
      <figure>
        <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" width="90" height="90" alt="朝長 秀誠 (Shusei Tomonaga)">
      </figure>
      <div class="entry-author-detail-body-text">
        <p class="name"><a href="https://blogs.jpcert.or.jp/en/shu_tom/">朝長 秀誠 (Shusei Tomonaga)</a></p>
        <div class="profile">
          <p>








































Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.


</p>
        </div>
      </div>
    </div>
  </section>

    
    
    


        
    
  

<!-- Feedback -->
<div id="fb" class="feedback feedback_noscript">
  <form name="feedback_form" id="feedback_form">
    <p class="title">Was this page helpful?</p>
    <div class="inner">
      <p class="select">
        <label><input name="is_useful" id="is_usefull_yes" value="yes" type="radio">Yes</label>
        <label><input name="is_useful" id="is_usefull_no" value="no" type="radio">No</label>
      </p>
      <p class="result"><span class='count'>0</span> people found this content helpful.</p>
    </div>
    <p class="title">If you wish to make comments or ask questions, please use this form.</p>
    <div class="inner">
      <p class="message">This form is for comments and inquiries. For any questions regarding specific commercial products, please contact the vendor.</p>
      <div class="container_a">
        <div class="container_b">
          <textarea name="free_text" id="free_text" cols="30" rows="3"></textarea>
        </div>
      </div>
      <p class="send_area">
        <span class="en_js_msg">please change the setting of your browser to set JavaScript valid.</span>
        <span class="loader" style="display:none"><img src="/en/common/images/fb_loader.gif" alt=""></span>
        <span class="thanks">Thank you!</span>
        <input class="button" type="button" disabled value="Send">
      </p>
    </div>
    <input name="redirect_to" id="redirect_to" value="" type="hidden">
    <input name="feedback_host" id="feedback_host" value="//ws.jpcert.or.jp/cgi-bin/" type="hidden">
    <input name="uri" id="uri" value="" type="hidden">
    <input name="token" id="token" value="" type="hidden">
  </form>
</div>
<!-- //-------- feedback --------------------->



    


        
    
      
    
                      <section class="relation-entrylist">
          <nav>
            <h1>Related articles</h1>
            <ul>
      
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/10/windealer.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/windealer01_png_en-320wi.png" alt="Malware WinDealer used by LuoYu Attack Group" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Malware WinDealer used by LuoYu Attack Group</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/gh0sttimes-fig8-47276bfe-589fd11c-320wi.png" alt="Malware Gh0stTimes Used by BlackTech" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Malware Gh0stTimes Used by BlackTech</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/lodeinfo3-fig2-320wi.png" alt="Further Updates in LODEINFO Malware" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Further Updates in LODEINFO Malware</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/lazarus3-fig2-320wi.png" alt="Operation Dream Job by Lazarus" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Operation Dream Job by Lazarus</p>
                  </div>
                </a>
              </li>

                            
                
                            
              <li>
                <a href="https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html" class="clearfix">
                  <figure>
                    <img src="https://blogs.jpcert.or.jp/en/.assets/thumbnail/quasar-fig16-320wi.png" alt="Attack Activities by Quasar Family" class="entry-thumbnail">
                  </figure>
                  <div class="detail">
                    <p class="title">Attack Activities by Quasar Family</p>
                  </div>
                </a>
              </li>

                            
                  </ul>
          </nav>
        </section>
            
    
    
    


        
    
    
    <section class="entry-navi">
    <div class="entry-navi-prev">
              <a href="https://blogs.jpcert.or.jp/en/2020/02/malware-lodeinfo-targeting-japan.html">Back</a>
          </div>
    <div class="entry-navi-home">
      <a href="/en/">Top</a>
    </div>
    <div class="entry-navi-next">
              <a href="https://blogs.jpcert.or.jp/en/2020/03/ics-security-conference-2020-report--part1.html">Next</a>
          </div>
  </section>

    
    


  </article>



  

        </main>
      </div>

            
    <aside>

        
    <div class="google-search">
    <script>
      (function() {
        var cx = '004990004422359256493:nnhwqqlx864';
        var gcse = document.createElement('script');
        gcse.type = 'text/javascript';
        gcse.async = true;
        gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
            '//cse.google.com/cse.js?cx=' + cx;
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(gcse, s);
      })();
    </script>
    <gcse:search></gcse:search>
  </div>



        
        <section id="side-categories" class="categorylist">
      <nav>
        <h1>Categories</h1>
        <ul>

          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #6484c5"></span><a href="https://blogs.jpcert.or.jp/en/malware/">Malware</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #fca001"></span><a href="https://blogs.jpcert.or.jp/en/incident/">Incident</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #9ec700"></span><a href="https://blogs.jpcert.or.jp/en/event/">Event</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #009e9f"></span><a href="https://blogs.jpcert.or.jp/en/vulnerability/">Vulnerability</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #0172b6"></span><a href="https://blogs.jpcert.or.jp/en/security-technology/">Security Technology</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #a1017f"></span><a href="https://blogs.jpcert.or.jp/en/forensic/">Forensic</a>
                
                              </li>
            
                        
          
                        
                                      <li>
                                  <span class="bullet" style="background-color: #838383"></span><a href="https://blogs.jpcert.or.jp/en/other/">Other</a>
                
                              </li>
            
                        
          
                        
                        
                        
          
        </ul>
      </nav>
    </section>
  


        
        
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
            
            
    
            
                    <section id="side-tags" class="taglist">
          <nav>
            <h1>Tags</h1>

                          <ul>
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/python/">Python</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/conference/">Conference</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/datper/">Datper</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/chches/">ChChes</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/training/">Training</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/cybergreen/">Statistics and Indicator</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/tool/">Tool</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/blacktech/">BlackTech</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/logontracer/">LogonTracer</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/report/">Report</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/splunk/">Splunk</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/elasticstack/">ElasticStack</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/impfuzzy/">impfuzzy</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/volatility/">volatility</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/redleaves/">RedLeaves</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/plugx/">PlugX</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/darkhotel/">DarkHotel</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/banking-malware/">Banking malware</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/pacific-islands/">Pacific_Islands</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/csirt/">CSIRT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/password/">Password</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/policy/">Policy</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/ddos/">DDoS</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/apt/">APT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/trend/">Trend</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/africa/">Africa</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/securecoding/">SecureCoding</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/sysmonsearch/">SysmonSearch</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/jsac/">JSAC</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/iot/">IoT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/iiot/">IIoT</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/quasar/">Quasar</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/lodeinfo/">LODEINFO</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/lazarus/">Lazarus</a>
                                  </li>

                                
                                        
                                
                <li>
                                      <a href="https://blogs.jpcert.or.jp/en/tags/emotet/">Emotet</a>
                                  </li>

                                
              </ul>            
          </nav>
        </section>
      
            
      


        
      <div id="ranklet-10936"></div>
  


        
    
              <section id="side-members" class="memberlist">
        <nav>
          <h1>Authors</h1>
          <ul class="clearfix">
    
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/SHIKAPON/">
                  <img src="https://movabletype.net/users/SHIKAPON/matsu.png" alt="鹿野 恵祐 (Keisuke Shikano)" title="鹿野 恵祐 (Keisuke Shikano)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/sekiguchi/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="関口　晃弘 (Akihiro Sekiguchi)" title="関口　晃弘 (Akihiro Sekiguchi)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/reto/">
                  <img src="https://movabletype.net/users/reto/Q6VN1jSR_400x400.jpg" alt="衛藤 亮介 (Ryosuke Eto)" title="衛藤 亮介 (Ryosuke Eto)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/ikuya/">
                  <img src="https://movabletype.net/users/ikuya/profile_icon.png" alt="福本 郁哉（Ikuya Fukumoto）" title="福本 郁哉（Ikuya Fukumoto）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/s-tanaka/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="田中 信太郎（Shintaro Tanaka） " title="田中 信太郎（Shintaro Tanaka） " width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/yutafuchikami/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="渕上侑汰（Yuta Fuchikami）" title="渕上侑汰（Yuta Fuchikami）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/horata/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="洞田 慎一 (Shinichi Horata)" title="洞田 慎一 (Shinichi Horata)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/t.mizuno/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="水野 哲也 (Tetsuya Mizuno)" title="水野 哲也 (Tetsuya Mizuno)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/Moris/">
                  <img src="https://movabletype.net/users/Moris/森克宏01.jpg" alt="森　克宏(Katsuhiro Mori)" title="森　克宏(Katsuhiro Mori)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/shu_tom/">
                  <img src="https://movabletype.net/users/shu_tom/ENCORE_400x400.jpg" alt="朝長 秀誠 (Shusei Tomonaga)" title="朝長 秀誠 (Shusei Tomonaga)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/mochidai/">
                  <img src="https://movabletype.net/users/mochidai/ProfileJPG.jpg" alt="持永 大 (Dai Mochinaga)" title="持永 大 (Dai Mochinaga)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/moto/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="川崎 基夫 (moto kawasaki)" title="川崎 基夫 (moto kawasaki)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/kkomiyama/">
                  <img src="https://movabletype.net/users/kkomiyama/photo_sparky_small.jpg" alt="小宮山 功一朗 (Koichiro Sparky Komiyama)" title="小宮山 功一朗 (Koichiro Sparky Komiyama)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/teramoto/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="寺本 健悟(Kengo Teramoto)" title="寺本 健悟(Kengo Teramoto)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/masubuchi/">
                  <img src="https://movabletype.net/users/masubuchi/blog_image.png" alt="増渕 維摩(Yuma Masubuchi)" title="増渕 維摩(Yuma Masubuchi)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/hori-32tk/">
                  <img src="https://movabletype.net/users/hori-32tk/画像の貼り付け先_-2021-3-18-22-18.png" alt="堀 充孝（Mitsutaka Hori）" title="堀 充孝（Mitsutaka Hori）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/kino/">
                  <img src="https://movabletype.net/users/kino/image-992ce083-832a-45c5-a3d8-5922b68506a7.jpg" alt="喜野 孝太(Kota Kino)" title="喜野 孝太(Kota Kino)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/uchida/">
                  <img src="https://movabletype.net/users/uchida/14190908.jpg" alt="内田 有香子 (Yukako Uchida)" title="内田 有香子 (Yukako Uchida)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/sajo/">
                  <img src="https://movabletype.net/users/sajo/Sajo0191031.jpg" alt="佐條 研(Ken Sajo)" title="佐條 研(Ken Sajo)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/Tomotaka/">
                  <img src="https://movabletype.net/users/Tomotaka/Tomotaka-Ito.jpg" alt="伊藤 智貴 (Tomo Ito)" title="伊藤 智貴 (Tomo Ito)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/tnakano/">
                  <img src="https://movabletype.net/users/tnakano/tapioka_square.jpg" alt="中野 巧 (Takumi Nakano)" title="中野 巧 (Takumi Nakano)" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/shoko/">
                  <img src="/en/common/images/default-userpic-90.jpg" alt="中井 尚子（Shoko Nakai）" title="中井 尚子（Shoko Nakai）" width="50">
                </a>
              </li>
            
                        
          
                        
                          <li>
                <a href="https://blogs.jpcert.or.jp/en/retiree_blog/">
                  <img src="https://movabletype.net/users/retiree_blog/j_icon72_400x400.jpg" alt="JPCERT/CC" title="JPCERT/CC" width="50">
                </a>
              </li>
            
                        
          
                        
            
                        
              </ul>
        </nav>
      </section>
      
    


    
        
              <section id="side-monthly-archive" class="archivelist">
        <nav>
          <h1>Archives</h1>
          <ul>
    
                
        <li><a href="https://blogs.jpcert.or.jp/en/2021/">2021</a><small>20</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2020/">2020</a><small>21</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2019/">2019</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2018/">2018</a><small>12</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2017/">2017</a><small>17</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2016/">2016</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2015/">2015</a><small>20</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2014/">2014</a><small>18</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2013/">2013</a><small>7</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2012/">2012</a><small>2</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2011/">2011</a><small>8</small></li>

                
          
                
        <li><a href="https://blogs.jpcert.or.jp/en/2010/">2010</a><small>4</small></li>

                
              </ul>
        </nav>
      </section>
      


  </aside>



    </div>

        
    
    <footer class="footer">
    <div class="footer__inner">
      <div class="footer__information">
        <div class="footer__information__cell-logo">
          <p class="footer__information__logo">
            <a href="https://www.jpcert.or.jp/english/" target="_blank">
              <img style="margin-top:3px" class="footer__information__logo__src" src="/en/common/images/footer_logo.svg" width="188" height="48" alt="JPCERT Coordination Center">
            </a>
          </p>
        </div>
        <div class="footer__information__cell-company">
          <dl class="footer__information__company">
            <dt class="footer__information__company__name">JPCERT/CC</dt>
            <dd  class="footer__information__company__data">
              <address class="footer__information__company__data__address">8F Tozan Bldg, 4-4-2 Nihonbashi-Honcho, Chuo-ku, Tokyo 1030023 JAPAN</address>
              <p class="footer__information__company__data__tel">TEL: +81-3-6271-8901　FAX: +81-3-6271-8908</p>
            </dd>
          </dl>
        </div>
        <div class="footer__information__cell-navigation">
          <ul class="footer__information__navigation">
            <li class="footer__information__navigation__item"><a class="footer__information__navigation__link" href="https://blogs.jpcert.or.jp/en/privacy-policy.html" target="_blank">Privacy Policy</a></li>
            <li class="footer__information__navigation__item"><a class="footer__information__navigation__link" href="https://blogs.jpcert.or.jp/en/disclaimer.html" target="_blank">Disclaimer</a></li>
          </ul>
        </div>
      </div>
      <p class="footer__copyright">Copyright &copy; 1996-2021 JPCERT/CC All Rights Reserved.</p>
    </div>
  </footer>

    


  </body>
  </html>

    

              
        <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>

        <script src="/en/common/js/prototype.js"></script>
    <script src="/en/common/feedback/script.js"></script>

  
                              <script src="//tracker.iws.vc/v1/ranklet/s3/widgets/10936/widget.js" async defer></script>
      </body>  </html>        